I'm currently trying to build a pipeline to process Windows .evtx binary logs into usable JSON for easy searching and filtering on Linux, but due to going through xml, there is data that needs to be cleaned up with jq. The bash pipeline is currently this:
./evtx_dump.py <File.evtx> \| sed -e 's/version="1.1"/version="1.0"/g' \| yq -p xml -o json \| sed -e 's/+@//g' -e 's/+//g' \| jq '.Events'> <File.json>When processing the object through the pipeline above, it results in this output:
{"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event","System": {"Provider": {"Name": "Microsoft-Windows-Security-Auditing","Guid": "{<GUID>}" },"EventID": {<EVENT-ID data> },"EventData": {"Data": [ {"content": "S-<SID>","Name": "SubjectUserSid" }, {"content": "-","Name": "SubjectUserName" }, {"content": "-","Name": "SubjectDomainName" }, {"content": "<HEX>","Name": "SubjectLogonId" }, {"content": "<HEX>","Name": "NewProcessId" }, {"content": "Registry","Name": "NewProcessName" }, {"content": "%%2000","Name": "TokenElevationType" }, {"content": "0x0000000000000019","Name": "ProcessId" }, {"Name": "CommandLine" }, {"content": "<HEX>","Name": "TargetUserSid" }, {"content": "-","Name": "TargetUserName" }, { ...]Everything under .Event[].EventData.Data[] seems to have been organised under an array due to the conversion through XML - some of the array values also seem to have no .content (presumably because the presence of those data points indicates the result is TRUE). I'm able to clean up data a little with a jq filter like this: .Event[].EventData.Data | map( { (.Name|tostring):(.content|tostring) } ) | add, but that only seems to work for one event and it throws errors due to the null values. I can't expand the scope of the filter to this: .Event[] | map( { (.EventData.Data.Name|tostring):(.EventData.Data.content|tostring) } ) | add, but that approximates the outcome I'm going for.